Before You Begin

This procedure also requires that the host is configured to use DNS.
For better performance, install the KDC and the LDAP Directory Service on
the same server. In addition, a directory server should be running. The procedure
below works with servers using the Sun Java Directory
Server Enterprise Edition release.

In this example, the lines for default_realm, kdc, admin_server, and all domain_realm entries
were changed. In addition, the line that defines the help_url was
edited.

Note –

If you want to restrict the encryption types, you can set the default_tkt_enctypes or default_tgs_enctypes lines.
Refer to Using Kerberos Encryption Types for
a description of the issues involved with restricting the encryption types.

Edit the KDC configuration file (kdc.conf).

You need to change the realm name. See the kdc.conf(4) man page for a full description
of this file.

In this example, the realm name definition in the realms section
was changed. Also, in the realms section, lines to enable
incremental propagation and to select the number of updates the KDC master
keeps in the log were added.

Note –

If you want to restrict the encryption types, you can set the permitted_enctypes, supported_enctypes, or master_key_type lines. Refer to Using Kerberos Encryption Types for a description of the issues involved with restricting
the encryption types.

Edit the Kerberos access
control list file (kadm5.acl).

Once populated,
the /etc/krb5/kadm5.acl file should contain all principal
names that are allowed to administer the KDC.

kws/admin@EXAMPLE.COM *

The entry gives the kws/admin principal in the EXAMPLE.COM realm the ability to modify principals or policies in
the KDC. The default installation includes an asterisk (*) to match all admin principals. This default could be a security risk, so it is
more secure to list each admin principal explicitly.
See the kadm5.acl(4) man
page for more information.
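The following audit script is an added example, not part of the original procedure: it parses a file in kadm5.acl(4) format (principal, permissions, optional target principal) and reports any wildcard principal that holds every administrative privilege, which is the condition the note above warns about. The ACL text embedded in it is constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of /etc/krb5/kadm5.acl in kadm5.acl(4) format
# ("principal permissions [target_principal]"); not taken from a real system.
SAMPLE_ACL = """\
# Principals that may administer the KDC
*/admin@EXAMPLE.COM *
kws/admin@EXAMPLE.COM *
helpdesk/admin@EXAMPLE.COM ci *@EXAMPLE.COM
"""

# Lowercase privilege letters: add, delete, modify, changepw, inquire, list.
FULL_PRIVS = set("admcil")


@dataclass
class AclEntry:
    lineno: int
    principal: str
    perms: str
    target: Optional[str]


def parse_kadm5_acl(text: str) -> List[AclEntry]:
    """Parse kadm5.acl text; blank lines and '#' comments are ignored."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'principal permissions [target]'")
        target = fields[2] if len(fields) > 2 else None
        entries.append(AclEntry(lineno, fields[0], fields[1], target))
    return entries


def grants_all(perms: str) -> bool:
    """'*' and 'x' are shorthand for every privilege; so is the full lowercase set."""
    return perms in ("*", "x") or FULL_PRIVS <= set(perms)


def audit_kadm5_acl(text: str) -> List[Tuple[int, str]]:
    """Return (lineno, principal) for each wildcard principal holding all privileges."""
    return [(e.lineno, e.principal) for e in parse_kadm5_acl(text)
            if "*" in e.principal and grants_all(e.perms)]


if __name__ == "__main__":
    for lineno, principal in audit_kadm5_acl(SAMPLE_ACL):
        print(f"kadm5.acl line {lineno}: wildcard '{principal}' has full KDC admin rights")
```

Run it against the real file with `audit_kadm5_acl(open("/etc/krb5/kadm5.acl").read())`; an empty result means every fully privileged entry names a specific principal.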

Start the kadmin.local command and add principals.

The next substeps create principals that are used by the Kerberos
service.

kdc1 # /usr/sbin/kadmin.local
kadmin.local:

Add administration principals to the database.

You
can add as many admin principals as you need. You must
add at least one admin principal to complete the KDC configuration
process. For this example, a kws/admin principal is added.
You can substitute an appropriate principal name instead of “kws.”

At this point, you can add principals by using the Graphical Kerberos
Administration Tool. To do so, you must log in with one of the admin principal
names that you created earlier in this procedure. However, the following command-line
example is shown for simplicity.

The host principal is used by Kerberized
applications, such as klist and kprop.
Solaris 10 clients use this principal when mounting an authenticated NFS file
system. Note that when the principal instance is a host name, the FQDN must
be specified in lowercase letters, regardless of the case of the domain name
in the /etc/resolv.conf file.

This
principal is used by the kclient utility during the installation
of a Kerberos client. If you do not plan on using this utility, then you do
not need to add the principal. The users of the kclient utility
need to use this password.

(Optional) Synchronize the master KDC's clock by using NTP
or another clock synchronization mechanism.

Installing and using
the Network Time Protocol (NTP) is not required. However, every clock must
be within the maximum clock skew that is defined in the libdefaults section
of the krb5.conf file for authentication to succeed.
See Synchronizing Clocks Between KDCs and Kerberos Clients for information about NTP.